The grace period on mobile security is over

By William Jackson

Aug 24, 2012

To date, the adoption of mobile computing has followed a familiar arc: development of the technology, rapid improvements in functionality driving consumer adoption and commercial exploitation, and the unstructured introduction of these tools into the enterprise by end users.

The result of this pattern has been a scramble to secure unmanaged and inadequately protected devices that introduce new vulnerabilities even as they become embedded in the workplace.

With mobile computing, however, government is trying to jumpstart the security process to help ensure that the threats introduced by new smart phones, tablets and other handheld devices do not outweigh their benefits.

“Like any new technology, smart phones present new capabilities, but also a number of new security challenges, including the need for secure and efficient cryptography suitable for power-constrained devices,” the National Institute of Standards and Technology said in a recent report on its mobile security efforts.

“NIST has ongoing work to identify properties and capabilities of roots of trust needed to secure next generation mobile devices,” the report says. “This work is expected to examine issues relating to boot firmware protections; integrity measurement and reporting of critical firmware and software; secure storage; device authentication; and application and data isolation.”

The reasons that government has a chance to get out in front on mobile security are two-fold. The first is that the administration, learning from the mistakes of the past, wants to be proactive in the adoption of new, consumer-driven technology. The president’s Digital Government Strategy, issued earlier this year, recognizes both the potential and the risks in using mobile devices for delivery of government services to citizens. The NIST report was produced as a result of that strategy.

Equally important, the mobile environment was slow to gain the attention of hackers, criminals and spies. There was a grace period of about five years, as mobile phones became smarter and more common, when it was predicted annually that “next year” would be the year when mobile malware would emerge. It wasn’t until last year that the prophecy was realized.

But although mobile malware is becoming much more common, it remains a tool looking for a job. Although mobile devices are used frequently, in this country at least they are still seldom used in ways that can be easily exploited to make money.

Researchers have identified a mobile bootkit in the wild capable of burrowing deep into the operating system, allowing complete control of the phone and enabling creation of mobile botnets. But asked if a mobile botnet was worth having, Tony Anscombe, senior security evangelist for AVG Technologies, said, “I don’t know.”

As tablets and phones begin to replace laptops, that uncertainty will not last. We have been given a brief window of opportunity to catch up with the bad guys, and both government and industry must take advantage of it.

“As the pace of the technology advancements continues to increase, our current information assurance standards and processes must be updated and new technologies developed to allow the continued use of commercial-off-the-shelf products, allowing government users to access the latest technologies to meet their missions without sacrificing privacy and security,” NIST said in its report.

The agency’s standards and guidelines are being updated to address these issues. With a concerted effort to implement these changes, our next generation of computing might be in a more trusted environment.